I recently learned that any software I install on my PC can access the files on my computer.
This means that any program I install on my PC could potentially read my Obsidian vault and even send it to their servers!
This worries me, since I literally have my whole life written in my Obsidian vault.
So I have two questions:
Is this correct? Is it really possible or is it very unlikely that software would actually check and steal my computer files?
Do you personally implement any measures to protect the vault from being accessed by other software?
Well first of all, yes it’s true. But I’m not sure this question has much to do with Obsidian exactly. This is basic computer security.
Ultimately, you should only install and run software you trust. (Easier said than done sometimes.) That includes things like tools, scripts, and plugins. Most legitimate software will be very unlikely to be snooping on you. Maybe that’s becoming less true with the explosion of AI features and data collection. Malware is something you should definitely protect yourself against.
If you are syncing your files into a cloud-based tool, that account should be protected with a good strong password.
If you are storing sensitive information such as passwords, you should consider storing that information in an encrypted password manager, instead of a plain-text note app.
Are you on a shared computer with family or coworkers?
Are you storing life secrets like a journal that would feel embarrassing if someone read it, or sensitive knowledge that you must protect for work/business, etc.?
For some things you want to keep private, you can store them in an encrypted volume, like BitLocker or VeraCrypt. But as far as I know that only protects it while it’s unmounted. You need to mount it to access it.
I’m sure others might have more or better advice. (Although I’m not sure if this is exactly on-topic for the Obsidian forum, as this would be relevant to any data you keep on a computer, period.)
Thank you for the answer. I know this question is about computer security in general.
But since in Obsidian many of us store a huge amount of information about ourselves and our work, preventing those details from leaking is paramount.
So I was wondering if anyone has set up Obsidian in a way that prevents software, even trusted software, from accessing Obsidian files, because access to those files could reveal a perfect profile of who I am, my private information, my work and so on.
As you said I don’t think that encrypting with tools like Veracrypt would help much, since I always keep Obsidian open and for this reason it would be unencrypted most of the time.
Someone in another community suggested giving access to Obsidian only to users with admin privileges. But I have no idea if it is a good solution or how to implement it since I am not very tech savvy.
You’re right to think about privacy and security. But again, this has nothing to do with Obsidian, per se. You are storing information all over your computer. This is just a desktop operating system issue in general.
Access to the program is different than access to the plain-text files on your computer. Blocking MS Word won’t protect your .doc files. Changing access to admin-only will also block Obsidian if Obsidian is run by a non-admin user. And if you are running as an admin user, then the software you install as an admin will still have access. So that really doesn’t seem like a viable solution.
But I suppose you could make a separate user account where you store your vault, and be much more mindful about what software you allow to run in that account.
So you mentioned “private information”. And again, if you are storing things like passwords, or I dunno, passport number, SIN, or other things you need to reference only occasionally, keep those things outside of your vault, in an encrypted tool.
I don’t. As far as I know (and I’m not a security expert) untargeted theft of personal data like notes isn’t a common threat, presumably because it’s a less efficient way to make money than stealing login credentials, scamming, or ransoming. (If you’re famous, subject to government or industrial espionage, or a target of harassers, it will be more of a concern.)
Your question stoked my curiosity, so I did a little searching. Windows has a feature called Controlled Folder Access in Windows Security under Ransomware. It was turned off in my Windows 11 installation. From what I read it trusts apps through its own internal mechanism. You can add apps but can’t remove the system trusted apps. Also, it applies to a number of folders (like Documents, Pictures, Music…). I turned it on for now, but it will not do what you are looking for.
I did not try this, but it may offer a solution for you. I just don’t have the time to try it out. It looks like you can add encryption to Obsidian in the form of community plugins. It seems your notes are encrypted by the plugin on disk, then when you access them with Obsidian, they are decrypted in memory. If another program, Notepad, tries to open one of these files I imagine it looks like random characters. I’d call that privacy protection, not protection from corruption by another program.
Maybe you can experiment with some of these plugins? I just searched “encrypt” in the plugin search and got back 14 possibilities.
I’d be interested in your results if you try this out.
By the way, while reading a bit about the issue, it seems Windows bases access on users, not applications.
I’m assuming you’re on Windows, which has… security concerns… in a very general sense. Windows 11, especially, is pretty bad for privacy. If you haven’t already, using something like WinAero Tweaker to purge various bloat and telemetry can help keep things protected (don’t go all willy-nilly with it and pick every option, though; you’ll make your computer unusable). That will help in a general sense.
If you have a bit of technical know-how, you can create containers using Docker or Podman to create protected containers that are only accessible with certain applications, but this will take some tweaking and technical skills.
If I’ve completely missed the mark and you’re on Linux, a mixture of chmod and ACLs can lock down a directory so only specific applications can peek into it.
Ultimately, I’d suspect a Docker/Podman setup with only Obsidian and your vault in the container would be the easiest setup.
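An added example, not part of any post in this thread: the chmod lock-down mentioned in the last reply, written as POSIX shell with an audit step. Mode bits are enforced per user account, so this pairs with the separate-account suggestion earlier in the thread; the function names and the sample vault are constructed for illustration.

```shell
#!/bin/sh
# Added example: owner-only lock-down and audit of a notes vault directory.
# Permission bits restrict other *user accounts*; programs running as the
# vault's owner can still read it.

# lock_vault DIR: strip all group/other access from DIR and everything below.
lock_vault() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    chmod -R go-rwx "$1"
}

# exposed_paths DIR: print each file or directory under DIR that still
# grants any read, write or traverse bit to group or other.
exposed_paths() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# exposed_count DIR: number of exposed paths, for use in checks or cron jobs.
exposed_count() {
    exposed_paths "$1" | wc -l | tr -d ' '
}

# Constructed sample vault (placeholder content) with typical default modes.
make_sample_vault() {
    v=$(mktemp -d) || return 1
    mkdir -p "$v/.obsidian" "$v/journal"
    echo "# 2024-01-01" > "$v/journal/day.md"
    echo "{}" > "$v/.obsidian/app.json"
    chmod 755 "$v" "$v/.obsidian" "$v/journal"
    chmod 644 "$v/journal/day.md" "$v/.obsidian/app.json"
    echo "$v"
}

# Before/after run on the constructed vault.
vault=$(make_sample_vault)
echo "exposed before lock-down: $(exposed_count "$vault")"
lock_vault "$vault"
echo "exposed after lock-down:  $(exposed_count "$vault")"
rm -rf "$vault"
```

Running `exposed_count` on a real vault path after a sync or restore shows whether new files came back with wider permissions than intended.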